On Fri, Jan 11, 2008 at 11:07:49AM +0001, Jason McIntyre wrote:
| > an inclusive match is usually better e.g.
| > pass proto tcp from any os "OpenBSD" to port ssh
| 
| that could be less useful if you have ipv6 connections in, no? since
| pf.os(5) claims only to be able to fingerprint hosts "that originate an
| IPv4 TCP connection".
| 
| but maybe the ssh client will fall back to using ipv4 if it meets that.
| i am unsure.

It should fall back to v4 connections, but this is generally not what
you want. In my experience (from my logs) I see that all these brute
forcing lunixtics use v4 so a rule to pass v6 ssh traffic without the
limitations you have for v4 should help there.

You'll need to revisit that once brute forcers start using v6 but
you'll be good for some time. It's like spam: I've *NEVER* seen a
spammer use IPv6 so I don't filter IPv6 mail until I do.

Cheers,

Paul 'WEiRD' de Weerd

-- 
>++++++++[<++++++++++>-]<+++++++.>+++[<------>-]<.>+++[<+
+++++++++++>-]<.>++[<------------>-]<+.--------------.[-]
                 http://www.weirdnet.nl/                 
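A pf.conf fragment illustrating the split the reply describes (added here as an example; it is not from the thread or its authors): the brute-force limiting and the os "OpenBSD" fingerprint match apply only to IPv4, since pf.os(5) fingerprints only IPv4 TCP, while IPv6 ssh is passed without those limits. The `egress` interface group, the table name and the rate values are assumptions chosen for the example.

```pf
# Example only, not from the thread. Interface group, table name and
# rate values are assumptions; adjust to the local setup.
table <bruteforce> persist

# Offenders collected by the overload rule below are dropped first.
block in quick on egress proto tcp from <bruteforce> to port ssh

# IPv4: passive OS fingerprinting works here (pf.os(5) covers IPv4 TCP
# only), and the connection-rate limit applies to these rules.
pass in on egress inet proto tcp from any os "OpenBSD" to port ssh \
    keep state (max-src-conn-rate 3/60, overload <bruteforce> flush global)

# IPv6: no fingerprint is available and, per the reply above, no limit
# is applied yet; revisit once brute forcers show up over v6.
pass in on egress inet6 proto tcp to port ssh
```

Check the syntax without loading it with `pfctl -nf /etc/pf.conf`, and watch the `<bruteforce>` table with `pfctl -t bruteforce -T show` to see whether the v4 limit is actually catching anything before tightening it.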